FFT news digest Nov 23 2018

Email trouble

Toe-curling moment of the week comes from security awareness outfit, KnowBe4, which managed to break one of the basic rules of using email. In an attempt to find new business, one of its sales people sent an email to people who had attended a trade show. The problem: he forgot to use BCC and so shared everyone's email address. The Register reports that KnowBe4 explained the employee was new and hadn't started his training. Not surprisingly, the prospective leads were unimpressed and it's safe to say new business is unlikely to result from the episode. Email mistakes consistently top the list of reasons for data breaches and most of us will have experienced (or committed) them. Awareness training does help, and KnowBe4's experience demonstrates why it needs to be completed as soon as an employee joins an organisation. But there are also technical solutions that make common mistakes less likely; for example, most services support rules that limit the maximum number of external recipients.

GDPR borders

Limits to the powers of European data regulators have been demonstrated by a warning issued to the Washington Post. Following a complaint by a reader of The Register, the UK Information Commissioner's Office (ICO) told the newspaper that the options for its online subscriptions don't comply with the General Data Protection Regulation (GDPR). This is because only the most expensive option allows a subscriber to turn off tracking tools. A key concept of the GDPR is that consent must be freely given, and this can hardly be true if the only choice is not to access the website - or to pay for the most expensive subscription. The ICO told The Register that it hoped the Washington Post would heed its advice, "but if they choose not to, there is nothing more we can do in relation to this matter." In the German town of Roth, the GDPR threatened to derail the tradition of children hanging their Christmas wishlist in public. A local radio station came to the rescue by coming up with a GDPR-compliant form (which has to be signed by an adult).

SIM hijacking

A 21-year-old man has been accused of stealing around $1 million in cryptocurrency by hijacking the mobile phone account of a Silicon Valley executive. According to US newspaper reports, Nicholas Truglia was arrested last week on charges of running an operation that targeted 'High Net Worth' individuals in northern California. The scheme involved a scam known as 'SIM swapping' where criminals try to persuade cellphone operators to transfer someone's number to a new device. This can allow them to take control of email accounts, harvest verification codes and steal money. As an investigator told security journalist, Brian Krebs, "we're now dealing with someone who buys a 99 cent SIM card off eBay, plugs it into a cheap burner phone, makes a call and steals millions of dollars." In the UK, the BBC investigated the issue recently and its research shows the differing policies of operators. The best protection is to ask your provider what they're doing to prevent this type of fraud - and adopt the most stringent measures available.

Phishing news

1 in every 10 emails that reaches a user's inbox is malicious, with law firms, media companies and utilities the most targeted sectors, according to a report from security consultancy, Cofense. State of Phishing Defence 2018 (registration required) took data from more than 135 million simulated phishing emails and combined them with information about real attacks. It found that six of the 10 most effective phishing campaigns in 2018 contained "invoice" in the subject line and all of the top 10 campaigns involved a financial-related heading. Cofense is hardly a disinterested party, but its research is based on comprehensive data and it does underline the scale of the problem. It also has some useful recommendations on how to make it less likely users will rise to the bait. Also worth reading today is advice from Britain's National Cyber Security Centre on how to avoid falling victim to Black Friday scams.

Ransomware protection

Britain's National Cyber Security Centre has warned that ransomware attacks are becoming more targeted as criminals move away from indiscriminate campaigns. The NCSC says attackers are analysing victims' networks to understand their ‘value’ and, if they manage to lock the contents, will then issue a ransom demand based on what they've discovered. As part of the research, the attackers will also seek to ensure their activity is as damaging as possible. As the NCSC points out, the impact of a ransomware attack depends on an organisation's level of preparedness. It has a list of recommendations which provide an excellent framework for planning and which would mitigate the effect of an incident. Last in the list but possibly the most important is a good back-up strategy. This means identifying what data is crucial and ensuring there are secure copies which would support a quick recovery if the worst happened.

Facebook under pressure

In the face of critical media coverage and demands for Mark Zuckerberg to appear before an international grand committee, Facebook has chosen to contest a £500,000 fine imposed by the UK data regulator. The fine was imposed over the Cambridge Analytica affair, in which the data mining company misused information about 87 million Facebook users. Facebook has admitted making mistakes in allowing the data to be harvested but says there's no evidence that users in the UK were affected. Meanwhile, 8 national parliaments are now demanding Mark Zuckerberg answer questions about possible negative impacts Facebook is having on democratic processes. After Mr Zuckerberg said he wasn't able to be in London for the hearing on November 27, the lawmakers suggested he might like to join by video link instead. They are still waiting for an answer.

In brief

Amazon has told some of its customers that it disclosed their name and email address by mistake (among them security researcher, Graham Cluley). It says the issue is fixed but so far hasn't provided any details.

We like Android devices but we are very cautious about apps, even if they're in the official Play Store. Despite intense efforts, Google hasn't been able to eradicate malicious apps. In the latest example, a researcher found 13 driving-related apps which were installed more than 500,000 times.

Skype for Business can be crashed by sending it large numbers of emojis. The bug was dubbed "Kitten of Doom" by the researchers who found it, and Microsoft has issued an update to address the issue.

Social network, Tumblr, was removed from Apple's app store because some users posted images of child sexual abuse. Tumblr said its filters had failed to spot the images.

Microsoft has been a leader in finding alternatives to passwords. Now it's enabling users to log in to their accounts without usernames and passwords. Its video explains what it's doing.

Updates

Adobe: urgent updates that address a critical vulnerability in Flash Player for Windows, macOS, Linux and Chrome OS. This is in addition to last week's updates. Flash is due to be retired in 2020. Not a moment too soon.

VMware: security updates for vSphere Data Protection to address vulnerabilities which could be used to take control of an affected system.

AWS: new feature gives users enhanced options to secure access to AWS cloud accounts.

Moodle: update to fix a security vulnerability in the widely-used open-source learning management system.

Chrome: version 70.0.3538.110 for Windows, Mac, and Linux fixes issue that could be exploited to take control of an affected system.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217